1opendnssec_selinux(8)      SELinux Policy opendnssec     opendnssec_selinux(8)
2
3
4

NAME

6       opendnssec_selinux  - Security Enhanced Linux Policy for the opendnssec
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the opendnssec processes  via  flexible
11       mandatory access control.
12
13       The  opendnssec  processes  execute with the opendnssec_t SELinux type.
14       You can check if you have these processes running by executing  the  ps
15       command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep opendnssec_t
20
21
22

ENTRYPOINTS

24       The  opendnssec_t SELinux type can be entered via the opendnssec_exec_t
25       file type.
26
27       The default entrypoint paths for the opendnssec_t domain are  the  fol‐
28       lowing:
29
30       /usr/sbin/ods-signer,   /usr/sbin/ods-control,   /usr/sbin/ods-signerd,
31       /usr/sbin/ods-enforcerd
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       opendnssec policy is  very  flexible  allowing  users  to  setup  their
41       opendnssec processes in as secure a method as possible.
42
43       The following process types are defined for opendnssec:
44
45       opendnssec_t
46
47       Note:  semanage  permissive  -a  opendnssec_t  can  be used to make the
48       process type opendnssec_t permissive. SELinux does not deny  access  to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       opendnssec  policy  is extremely flexible and has several booleans that
56       allow you to manipulate the policy and run opendnssec with the tightest
57       access possible.
58
59
60
61       If you want to allow users to resolve user passwd entries directly from
62       ldap rather then using a sssd server, you  must  turn  on  the  authlo‐
63       gin_nsswitch_use_ldap boolean. Disabled by default.
64
65       setsebool -P authlogin_nsswitch_use_ldap 1
66
67
68
69       If you want to allow all daemons to write corefiles to /, you must turn
70       on the daemons_dump_core boolean. Disabled by default.
71
72       setsebool -P daemons_dump_core 1
73
74
75
76       If you want to enable cluster mode for daemons, you must  turn  on  the
77       daemons_enable_cluster_mode boolean. Enabled by default.
78
79       setsebool -P daemons_enable_cluster_mode 1
80
81
82
83       If  you want to allow all daemons to use tcp wrappers, you must turn on
84       the daemons_use_tcp_wrapper boolean. Disabled by default.
85
86       setsebool -P daemons_use_tcp_wrapper 1
87
88
89
90       If you want to allow all daemons the ability to  read/write  terminals,
91       you must turn on the daemons_use_tty boolean. Disabled by default.
92
93       setsebool -P daemons_use_tty 1
94
95
96
97       If  you  want  to deny any process from ptracing or debugging any other
98       processes, you  must  turn  on  the  deny_ptrace  boolean.  Enabled  by
99       default.
100
101       setsebool -P deny_ptrace 1
102
103
104
105       If  you  want  to  allow  any  process  to mmap any file on system with
106       attribute file_type, you must turn on the  domain_can_mmap_files  bool‐
107       ean. Enabled by default.
108
109       setsebool -P domain_can_mmap_files 1
110
111
112
113       If  you want to allow all domains write to kmsg_device, while kernel is
114       executed with systemd.log_target=kmsg parameter, you must turn  on  the
115       domain_can_write_kmsg boolean. Disabled by default.
116
117       setsebool -P domain_can_write_kmsg 1
118
119
120
121       If you want to allow all domains to use other domains file descriptors,
122       you must turn on the domain_fd_use boolean. Enabled by default.
123
124       setsebool -P domain_fd_use 1
125
126
127
128       If you want to allow all domains to have the kernel load  modules,  you
129       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
130       default.
131
132       setsebool -P domain_kernel_load_modules 1
133
134
135
136       If you want to allow all domains to execute in fips_mode, you must turn
137       on the fips_mode boolean. Enabled by default.
138
139       setsebool -P fips_mode 1
140
141
142
143       If you want to enable reading of urandom for all domains, you must turn
144       on the global_ssp boolean. Disabled by default.
145
146       setsebool -P global_ssp 1
147
148
149
150       If you want to allow confined applications to run  with  kerberos,  you
151       must turn on the kerberos_enabled boolean. Enabled by default.
152
153       setsebool -P kerberos_enabled 1
154
155
156
157       If  you  want  to  allow  system  to run with NIS, you must turn on the
158       nis_enabled boolean. Disabled by default.
159
160       setsebool -P nis_enabled 1
161
162
163
164       If you want to allow confined applications to use nscd  shared  memory,
165       you must turn on the nscd_use_shm boolean. Disabled by default.
166
167       setsebool -P nscd_use_shm 1
168
169
170

MANAGED FILES

172       The SELinux process type opendnssec_t can manage files labeled with the
173       following file types.  The paths listed are the default paths for these
174       file types.  Note the processes UID still need to have DAC permissions.
175
176       cluster_conf_t
177
178            /etc/cluster(/.*)?
179
180       cluster_var_lib_t
181
182            /var/lib/pcsd(/.*)?
183            /var/lib/cluster(/.*)?
184            /var/lib/openais(/.*)?
185            /var/lib/pengine(/.*)?
186            /var/lib/corosync(/.*)?
187            /usr/lib/heartbeat(/.*)?
188            /var/lib/heartbeat(/.*)?
189            /var/lib/pacemaker(/.*)?
190
191       cluster_var_run_t
192
193            /var/run/crm(/.*)?
194            /var/run/cman_.*
195            /var/run/rsctmp(/.*)?
196            /var/run/aisexec.*
197            /var/run/heartbeat(/.*)?
198            /var/run/corosync-qnetd(/.*)?
199            /var/run/corosync-qdevice(/.*)?
200            /var/run/cpglockd.pid
201            /var/run/corosync.pid
202            /var/run/rgmanager.pid
203            /var/run/cluster/rgmanager.sk
204
205       ipa_var_lib_t
206
207            /var/lib/ipa(/.*)?
208
209       named_cache_t
210
211            /var/named/data(/.*)?
212            /var/lib/softhsm(/.*)?
213            /var/lib/unbound(/.*)?
214            /var/named/slaves(/.*)?
215            /var/named/dynamic(/.*)?
216            /var/named/chroot/var/tmp(/.*)?
217            /var/named/chroot/var/named/data(/.*)?
218            /var/named/chroot/var/named/slaves(/.*)?
219            /var/named/chroot/var/named/dynamic(/.*)?
220
221       opendnssec_conf_t
222
223            /etc/opendnssec(/.*)?
224
225       opendnssec_tmp_t
226
227
228       opendnssec_var_run_t
229
230            /var/run/opendnssec(/.*)?
231
232       opendnssec_var_t
233
234            /var/opendnssec(/.*)?
235
236       root_t
237
238            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
239            /
240            /initrd
241
242

FILE CONTEXTS

244       SELinux requires files to have an extended attribute to define the file
245       type.
246
247       You can see the context of a file using the -Z option to ls
248
249       Policy governs the access  confined  processes  have  to  these  files.
250       SELinux  opendnssec  policy  is  very  flexible allowing users to setup
251       their opendnssec processes in as secure a method as possible.
252
253       STANDARD FILE CONTEXT
254
255       SELinux defines the file context  types  for  the  opendnssec,  if  you
256       wanted  to store files with these types in a diffent paths, you need to
257       execute the semanage command to sepecify alternate  labeling  and  then
258       use restorecon to put the labels on disk.
259
260       semanage   fcontext   -a  -t  opendnssec_var_t  '/srv/myopendnssec_con‐
261       tent(/.*)?'
262       restorecon -R -v /srv/myopendnssec_content
263
264       Note: SELinux often uses regular expressions  to  specify  labels  that
265       match multiple files.
266
267       The following file types are defined for opendnssec:
268
269
270
271       opendnssec_conf_t
272
273       -  Set  files with the opendnssec_conf_t type, if you want to treat the
274       files as opendnssec configuration data, usually stored under  the  /etc
275       directory.
276
277
278
279       opendnssec_exec_t
280
281       -  Set files with the opendnssec_exec_t type, if you want to transition
282       an executable to the opendnssec_t domain.
283
284
285       Paths:
286            /usr/sbin/ods-signer,  /usr/sbin/ods-control,  /usr/sbin/ods-sign‐
287            erd, /usr/sbin/ods-enforcerd
288
289
290       opendnssec_tmp_t
291
292       -  Set  files  with  the  opendnssec_tmp_t  type,  if you want to store
293       opendnssec temporary files in the /tmp directories.
294
295
296
297       opendnssec_unit_file_t
298
299       - Set files with the opendnssec_unit_file_t type, if you want to  treat
300       the files as opendnssec unit content.
301
302
303       Paths:
304            /usr/lib/systemd/system/ods-signerd.service, /usr/lib/systemd/sys‐
305            tem/ods-enforcerd.service
306
307
308       opendnssec_var_run_t
309
310       - Set files with the opendnssec_var_run_t type, if you  want  to  store
311       the opendnssec files under the /run or /var/run directory.
312
313
314
315       opendnssec_var_t
316
317       -  Set  files  with the opendnssec_var_t type, if you want to store the
318       opendn files under the /var directory.
319
320
321
322       Note: File context can be temporarily modified with the chcon  command.
323       If  you want to permanently change the file context you need to use the
324       semanage fcontext command.  This will modify the SELinux labeling data‐
325       base.  You will need to use restorecon to apply the labels.
326
327

COMMANDS

329       semanage  fcontext  can also be used to manipulate default file context
330       mappings.
331
332       semanage permissive can also be used to manipulate  whether  or  not  a
333       process type is permissive.
334
335       semanage  module can also be used to enable/disable/install/remove pol‐
336       icy modules.
337
338       semanage boolean can also be used to manipulate the booleans
339
340
341       system-config-selinux is a GUI tool available to customize SELinux pol‐
342       icy settings.
343
344

AUTHOR

346       This manual page was auto-generated using sepolicy manpage .
347
348

SEE ALSO

350       selinux(8), opendnssec(8), semanage(8), restorecon(8), chcon(1), sepol‐
351       icy(8) , setsebool(8)
352
353
354
355opendnssec                         19-04-25              opendnssec_selinux(8)
Impressum